google redirects and generally slow computer


23 replies to this topic

#1 tjlw

Posted 23 December 2009 - 08:53 PM

Hi - I have a Win XP SP3 machine that was infected with Internet Security 2010. I have removed it twice but am still having issues such as Google searches being redirected to random sites, and it cannot boot into Safe Mode but boots normally with no problem. I have run Malwarebytes, Ad-Aware, Spybot, AVG, CCleaner and TweakNow but cannot clean off whatever is left. Attached below is the HijackThis log file. Any help would be appreciated!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:38:54 PM, on 12/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1172081057140
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 4156 bytes

Edited by Orange Blossom, 23 December 2009 - 10:46 PM.
Move to HJT. ~ OB
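
Added example, not part of the thread and not HijackThis's own code: a small parser for the R*/O* lines of a log like the one above. Each HijackThis line is one hook or autostart point; the parser pulls out the section code, the CLSID and the file path, labels the persistence mechanism (an O20 Winlogon Notify DLL runs inside winlogon.exe, an O2 BHO inside every IE process, and so on), and flags entries whose file lives outside the Windows or Program Files trees. The mechanism labels, the trusted-root rule and the sample log are the editor's assumptions: the sample is a subset of the log in this post plus one constructed O20 line (marked in the code) so the flagging branch is exercised; nothing here claims the real machine had such an entry. On the lines actually from the post, nothing is flagged, which matches what the thread shows: every hook resolves to AVG, Yahoo, Google, HP or Microsoft.

```python
"""HijackThis 2.0 log triage (editor's example, not HijackThis code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Lines copied from the HijackThis log in post #1.
PAGE_LINES = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
"""
# CONSTRUCTED line (not from the post): a Winlogon Notify DLL loading from
# the user's Temp folder, the shape of entry the flag rule is meant to catch.
CONSTRUCTED_LINE = (
    r"O20 - Winlogon Notify: example - "
    r"C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\example.dll" + "\n"
)
SAMPLE_LOG = PAGE_LINES + CONSTRUCTED_LINE

# Editor's labels for the HijackThis section codes that appear above.
PERSISTENCE = {
    "R0": "IE start page", "R1": "IE default/search page",
    "R3": "URLSearchHook (can rewrite address-bar searches)",
    "O2": "Browser Helper Object (loads into every IE process)",
    "O3": "IE toolbar",
    "O4": "Run key / Startup folder",
    "O6": "IE restriction policy present",
    "O9": "IE extra button / Tools menu item",
    "O16": "ActiveX download (DPF)",
    "O18": "URL protocol handler / filter",
    "O20": "Winlogon Notify / AppInit_DLLs (loads into winlogon.exe)",
    "O23": "Windows service",
}
# Assumption: a hook whose file sits outside these trees deserves a look.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

LINE_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
DRIVE_RE = re.compile(r"[A-Za-z]:\\")


@dataclass
class Entry:
    section: str
    mechanism: str
    clsid: Optional[str]
    path: Optional[str]
    flagged: bool
    reason: str
    raw: str


def extract_path(body: str) -> Optional[str]:
    """HijackThis prints the file path last, so take the text from the last
    drive-letter prefix to the end of the line (None for URL-only entries)."""
    hits = list(DRIVE_RE.finditer(body))
    return body[hits[-1].start():].strip() if hits else None


def classify(line: str) -> Optional[Entry]:
    """Parse one log line; returns None for headers and process listings."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    clsid = CLSID_RE.search(body)
    path = extract_path(body)
    flagged, reason = False, ""
    if path and not path.lower().startswith(TRUSTED_ROOTS):
        flagged, reason = True, "file outside Windows/Program Files"
    return Entry(section, PERSISTENCE.get(section, "other"),
                 clsid.group(0) if clsid else None, path, flagged, reason,
                 line.strip())


def triage(log: str) -> List[Entry]:
    """All parsed entries, flagged ones first, then by section code."""
    entries = [e for e in (classify(l) for l in log.splitlines()) if e]
    return sorted(entries, key=lambda e: (not e.flagged, e.section))


def flagged(log: str) -> List[Entry]:
    return [e for e in triage(log) if e.flagged]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        mark = "!!" if e.flagged else "  "
        print(f"{mark} {e.section:<4} {e.mechanism:<55} {e.path or '-'}")
```

The path rule is deliberately crude: a dropped DLL placed under System32 would pass it, so the flag only prioritises review; the mechanism column is what tells you how much a given entry is worth chasing.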



#2 Grinler (Lawrence Abrams)
Posted 29 December 2009 - 09:57 AM

Please visit the following link and use the instructions there to post a ComboFix log as a reply to this topic:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

After running ComboFix, please post the ComboFix log as a reply to this

#3 tjlw

Posted 29 December 2009 - 12:22 PM

Hi - thanks so much for the reply. Many things have happened since the first post: Internet Security 2010 showed up again and disabled taskmgr, regedit, etc. I got that cleared off again last night. The main issues are:
1 - still redirecting my browser
2 - cannot boot in Safe Mode - I did find a workaround using Boot Safe, which came with SUPERAntiSpyware
3 - Beep and Serial are disabled in Device Manager
4 - IS2010 keeps showing up

I have checked to make sure I have the most recent Java, upgraded to IE 7, ran ESET, reinstalled Malwarebytes and ran Malwarebytes and SUPERAntiSpyware in Safe Mode - so I've been trying to fix it but without much luck - this seems to be very ingrained.

I also ran Gmer last night so I attached that just in case you'd like to see it. Awaiting your next instructions! Thanks!

Here is the ComboFix log:

ComboFix 09-12-28.06 - Compaq_Owner 12/29/2009 9:37.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.233 [GMT -7:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\Compaq_Owner\Local Settings\temp\IadHide5.dll
c:\windows\unins000.dat
c:\windows\unins000.exe

.
((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-29 )))))))))))))))))))))))))))))))
.

2009-12-29 00:04 . 2009-12-29 00:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-12-29 00:03 . 2009-12-29 00:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-12-28 23:59 . 2006-08-29 02:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\Intuit
2009-12-24 22:58 . 2009-12-24 22:58 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-24 22:57 . 2009-12-24 22:57 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com
2009-12-20 02:50 . 2009-12-20 02:50 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Sonic
2009-12-20 02:48 . 2009-12-20 02:48 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Leadertech

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-29 08:02 . 2007-01-20 20:45 40168 ----a-w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-29 08:02 . 2009-12-29 08:02 -------- d-----w- c:\program files\Microsoft
2009-12-29 08:02 . 2009-12-29 08:00 -------- d-----w- c:\program files\Windows Live
2009-12-29 08:01 . 2009-12-29 08:01 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-12-29 07:47 . 2009-12-29 07:47 -------- d-----w- c:\program files\Common Files\Windows Live
2009-12-29 06:53 . 2009-12-29 06:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-29 00:06 . 2009-12-29 00:06 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-28 04:10 . 2006-08-29 02:33 -------- d-----w- c:\program files\Netscape
2009-12-25 03:23 . 2009-12-25 03:23 -------- d-----w- c:\program files\ESET
2009-12-24 22:59 . 2009-12-24 22:59 52224 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2009-12-24 22:59 . 2009-12-24 22:59 117760 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-24 22:58 . 2009-12-24 22:57 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-24 22:57 . 2009-12-24 22:57 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-24 02:22 . 2007-02-21 05:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-24 01:34 . 2009-12-23 22:50 -------- d-----w- c:\program files\Spyware Doctor
2009-12-24 01:34 . 2009-08-29 18:59 -------- d-----w- c:\program files\Common Files\PC Tools
2009-12-24 01:31 . 2009-08-29 18:59 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-21 17:19 . 2009-12-21 17:19 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-12-21 17:19 . 2009-12-21 17:19 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-12-21 17:19 . 2009-12-21 17:19 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-12-21 17:19 . 2009-12-21 17:19 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-12-21 17:18 . 2009-12-22 16:01 3776280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2009-12-21 17:18 . 2009-12-22 16:01 3967256 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-12-21 17:18 . 2009-12-18 17:35 2352920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgresf.dll
2009-12-21 17:18 . 2009-12-22 16:01 4043032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2009-12-21 17:18 . 2009-12-22 16:01 916248 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcfgx.dll
2009-12-21 17:18 . 2009-11-10 22:12 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-12-16 18:53 . 2007-02-21 05:52 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-03 23:14 . 2009-12-29 06:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 23:13 . 2009-12-29 06:52 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-01 00:02 . 2009-09-23 23:01 3695616 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-11-20 18:34 . 2009-11-20 18:35 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-20 18:34 . 2006-08-29 02:11 -------- d-----w- c:\program files\Java
2009-11-20 18:33 . 2009-11-20 18:33 152576 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-20 18:33 . 2009-11-20 18:33 79488 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-17 20:14 . 2009-11-17 20:14 19900192 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Adobe\Acrobat\7.0\Updater\AdbeRdr710_en_US.exe
2009-11-10 22:12 . 2008-05-24 19:21 -------- d-----w- c:\program files\AVG
2009-10-29 07:46 . 2004-08-04 11:00 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-04 11:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2004-08-04 11:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-21 23:03 . 2009-09-23 23:01 2353992 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-10-21 05:38 . 2004-08-04 11:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 11:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 11:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2004-08-04 11:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-04 11:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-04 11:00 79872 ----a-w- c:\windows\system32\raschap.dll
2009-08-29 19:33 . 2009-08-29 19:33 13642 ----a-w- c:\program files\Common Files\ohory.dl
2009-08-28 13:09 . 2009-08-28 13:09 19819 ----a-w- c:\program files\Common Files\fucity.dl
2009-08-28 13:09 . 2009-08-28 13:09 12343 ----a-w- c:\program files\Common Files\ukozuzap.exe
2009-08-28 13:09 . 2009-08-28 13:09 14691 ----a-w- c:\program files\Common Files\juvyhima.ban
2009-08-28 13:09 . 2009-08-28 13:09 12799 ----a-w- c:\program files\Common Files\iwycoxuhug.com
2009-08-28 01:00 . 2009-08-28 01:00 19114 ----a-w- c:\program files\Common Files\avyco.ban
2009-08-27 04:15 . 2009-08-27 04:15 12015 ----a-w- c:\program files\Common Files\ojyruseli.bin
2009-08-26 02:02 . 2009-08-26 02:02 17797 ----a-w- c:\program files\Common Files\jahe.lib
2009-08-26 00:33 . 2009-08-26 00:33 17490 ----a-w- c:\program files\Common Files\ruvexaqace.dll
2009-08-25 22:53 . 2009-08-25 22:53 15995 ----a-w- c:\program files\Common Files\ixuqek.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-12-21 2033432]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-8-28 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Compaq Connections.lnk - c:\program files\Compaq Connections\5577497\Program\Compaq Connections.exe [2006-8-28 36903]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 21:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-12-21 17:19 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/2/2009 4:01 PM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/21/2009 10:19 AM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/21/2009 10:19 AM 360584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/16/2009 4:26 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/16/2009 4:26 PM 74480]
S3 pmxscan;USB ScanModule V5.1 Driver;c:\windows\system32\drivers\usbscan.sys [3/29/2007 9:37 AM 15104]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/16/2009 4:27 PM 7408]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://finance.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
.
- - - - ORPHANS REMOVED - - - -

AddRemove-{D7DBA21A-CDE5-42EC-BB1C-AE4B3E616B9A}_is1 - c:\windows\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-29 09:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3762966820-866554889-2270715484-1008\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(552)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2644)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\AAWService.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgwdsvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\Windows Live\Contacts\wlcomm.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2009-12-29 10:12:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-29 17:12

Pre-Run: 55,347,666,944 bytes free
Post-Run: 55,488,782,336 bytes free

- - End Of File - - A5A322158F1EBE5947CC93CE3083ABF6


#4 tjlw

Posted 29 December 2009 - 08:10 PM

Hi - before I got your directions today I was going to run MBAM again in Safe Mode, using Boot Safe to get to Safe Mode (I reinstalled MBAM as some people in the forums had said this virus does something to it). The last time I ran MBAM (before reinstalling) it found nothing, but today the newly installed version found 7 infections. It said it removed them all and needed to reboot; the reboot got stuck and I had to force the computer to shut down, then restart. Here is the log, and while I'm waiting for your response I will rerun this to make sure everything was removed properly.

Malwarebytes' Anti-Malware 1.42
Database version: 3449
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 7.0.5730.13

12/29/2009 5:57:50 PM
mbam-log-2009-12-29 (17-57-50).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 231530
Time elapsed: 29 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP757\A0118487.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP757\A0118519.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP757\A0118530.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP757\A0118536.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP758\A0119618.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP761\A0119748.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP763\A0119893.sys (Rootkit.Agent) -> Quarantined and deleted successfully.


Ran MBAM in Safe Mode using Boot Safe again - Full Scan - nothing was detected. Please let me know what to do next. Thanks!

Edited by tjlw, 29 December 2009 - 11:21 PM.


#5 Grinler (Lawrence Abrams)
Posted 30 December 2009 - 09:15 AM

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
c:\program files\Common Files\ohory.dl
c:\program files\Common Files\fucity.dl
c:\program files\Common Files\ukozuzap.exe
c:\program files\Common Files\juvyhima.ban
c:\program files\Common Files\iwycoxuhug.com
c:\program files\Common Files\avyco.ban
c:\program files\Common Files\ojyruseli.bin
c:\program files\Common Files\jahe.lib
c:\program files\Common Files\ruvexaqace.dll
c:\program files\Common Files\ixuqek.sys


Save this as the text file CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot]

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

Then,

We need to check for rootkits with RootRepeal
NOTE: This is for scanning only. Do not attempt to repair anything with this tool.
Valid program entries may be listed in the results, and removal may make your machine unstable!

  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive.
  • Open RootRepeal.exe on your desktop.
  • Click the [screenshot] tab.
  • Click the [screenshot] button.
  • Check all seven boxes: [screenshot]
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the [screenshot] button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your topic.
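
Added example, not part of the thread and not ComboFix's own code: the ten files in the CFScript above are exactly the cluster that stands out in the Find3M report of post #3 (files changed in the last three months). They share one parent directory, random-looking names with extensions such as .dl and .ban, sizes of 12 to 20 KB, creation and last-write times in the same minute, and a creation window of 25 to 29 August 2009; none of them appears in the HijackThis log, which only lists hook and autostart points. The script below parses Find3M lines, scores each file on those signals, and renders the File:: block of a CFScript in the same shape as the one Grinler posted. The sample lines are copied from post #3 (five benign AVG/Malwarebytes/directory lines and the ten flagged ones); the weights, the 32 KB threshold and the "loose file directly under Common Files" rule are the editor's assumptions tuned on this one log, not a ComboFix feature.

```python
"""Find3M triage -> CFScript File:: block (editor's example, not ComboFix)."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Lines copied from the Find3M Report in post #3.
SAMPLE_FIND3M = r"""
2009-12-21 17:19 . 2009-12-21 17:19 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-12-21 17:19 . 2009-12-21 17:19 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-12-29 07:47 . 2009-12-29 07:47 -------- d-----w- c:\program files\Common Files\Windows Live
2009-12-24 22:57 . 2009-12-24 22:57 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-03 23:13 . 2009-12-29 06:52 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-29 19:33 . 2009-08-29 19:33 13642 ----a-w- c:\program files\Common Files\ohory.dl
2009-08-28 13:09 . 2009-08-28 13:09 19819 ----a-w- c:\program files\Common Files\fucity.dl
2009-08-28 13:09 . 2009-08-28 13:09 12343 ----a-w- c:\program files\Common Files\ukozuzap.exe
2009-08-28 13:09 . 2009-08-28 13:09 14691 ----a-w- c:\program files\Common Files\juvyhima.ban
2009-08-28 13:09 . 2009-08-28 13:09 12799 ----a-w- c:\program files\Common Files\iwycoxuhug.com
2009-08-28 01:00 . 2009-08-28 01:00 19114 ----a-w- c:\program files\Common Files\avyco.ban
2009-08-27 04:15 . 2009-08-27 04:15 12015 ----a-w- c:\program files\Common Files\ojyruseli.bin
2009-08-26 02:02 . 2009-08-26 02:02 17797 ----a-w- c:\program files\Common Files\jahe.lib
2009-08-26 00:33 . 2009-08-26 00:33 17490 ----a-w- c:\program files\Common Files\ruvexaqace.dll
2009-08-25 22:53 . 2009-08-25 22:53 15995 ----a-w- c:\program files\Common Files\ixuqek.sys
"""

# Find3M line: "<created> . <modified> <size|--------> <attrs> <path>"
LINE_RE = re.compile(
    r"^(?P<ctime>\d{4}-\d\d-\d\d \d\d:\d\d) \. "
    r"(?P<mtime>\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(?P<size>\d+|-+) (?P<attrs>\S{8}) (?P<path>.+)$"
)
# Editor's assumptions: vendors put subfolders, not loose files, under
# Common Files; these extensions are the ones normally seen on binaries.
COMMON_FILES = "c:\\program files\\common files\\"
NORMAL_EXT = {".exe", ".dll", ".sys", ".com", ".ocx", ".drv", ".dat", ".ini", ".txt", ".log"}
SMALL = 32 * 1024


@dataclass
class FileEntry:
    ctime: datetime
    mtime: datetime
    size: int  # -1 for directories
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


def parse_find3m(text: str) -> List[FileEntry]:
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = int(m["size"]) if m["size"].isdigit() else -1
        out.append(FileEntry(datetime.strptime(m["ctime"], "%Y-%m-%d %H:%M"),
                             datetime.strptime(m["mtime"], "%Y-%m-%d %H:%M"),
                             size, m["attrs"], m["path"]))
    return out


def score(e: FileEntry) -> Tuple[int, List[str]]:
    """Points and reasons; location weighs 2, every other signal 1."""
    reasons: List[str] = []
    if e.is_dir:
        return 0, reasons
    parent, _, name = e.path.lower().rpartition("\\")
    ext = name[name.rfind("."):] if "." in name else ""
    points = 0
    if parent + "\\" == COMMON_FILES:
        points += 2
        reasons.append("loose file directly under Common Files")
    if ext not in NORMAL_EXT:
        points += 1
        reasons.append(f"unusual extension {ext or '(none)'}")
    if 0 < e.size < SMALL:
        points += 1
        reasons.append("small binary (<32 KB)")
    if e.ctime == e.mtime:
        points += 1
        reasons.append("created and last written in the same minute")
    return points, reasons


def suspicious(text: str, threshold: int = 3) -> List[FileEntry]:
    return [e for e in parse_find3m(text) if score(e)[0] >= threshold]


def cluster_window(entries: List[FileEntry]) -> Optional[Tuple[datetime, datetime]]:
    """Earliest and latest creation time; a tight window suggests one dropper."""
    times = sorted(e.ctime for e in entries)
    return (times[0], times[-1]) if times else None


def cfscript(entries: List[FileEntry]) -> str:
    """Render ComboFix's File:: directive (same shape as the script in post #5)."""
    return "\n".join(["File::"] + [e.path for e in entries]) + "\n"


if __name__ == "__main__":
    hits = suspicious(SAMPLE_FIND3M)
    for e in hits:
        print(f"{e.path}  <- {'; '.join(score(e)[1])}")
    print("creation window:", cluster_window(hits))
    print(cfscript(hits))
```

The File:: directive deletes every path listed, so the generated block is a candidate list for a human to confirm (hash the files, check the vendor and signer, look at what loads them) and not something to drop into ComboFix unread; a legitimate 12 KB driver written by an installer in one minute scores 2 here and a slightly different threshold would catch it.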


#6 tjlw

Posted 30 December 2009 - 10:41 AM

Thanks for your help Grinler! Running RootRepeal now but here is ComboFix log:

ComboFix 09-12-29.05 - Compaq_Owner 12/30/2009 8:03.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.223 [GMT -7:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\program files\Common Files\avyco.ban"
"c:\program files\Common Files\fucity.dl"
"c:\program files\Common Files\iwycoxuhug.com"
"c:\program files\Common Files\ixuqek.sys"
"c:\program files\Common Files\jahe.lib"
"c:\program files\Common Files\juvyhima.ban"
"c:\program files\Common Files\ohory.dl"
"c:\program files\Common Files\ojyruseli.bin"
"c:\program files\Common Files\ruvexaqace.dll"
"c:\program files\Common Files\ukozuzap.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\Compaq_Owner\Local Settings\temp\IadHide5.dll
c:\program files\Common Files\avyco.ban
c:\program files\Common Files\fucity.dl
c:\program files\Common Files\iwycoxuhug.com
c:\program files\Common Files\ixuqek.sys
c:\program files\Common Files\jahe.lib
c:\program files\Common Files\juvyhima.ban
c:\program files\Common Files\ohory.dl
c:\program files\Common Files\ojyruseli.bin
c:\program files\Common Files\ruvexaqace.dll
c:\program files\Common Files\ukozuzap.exe

.
((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-30 )))))))))))))))))))))))))))))))
.

2009-12-29 00:04 . 2009-12-29 00:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-12-29 00:03 . 2009-12-29 00:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-12-28 23:59 . 2006-08-29 02:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\Intuit
2009-12-24 22:58 . 2009-12-24 22:58 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-24 22:57 . 2009-12-24 22:57 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com
2009-12-20 02:50 . 2009-12-20 02:50 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Sonic
2009-12-20 02:48 . 2009-12-20 02:48 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Leadertech

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-29 08:02 . 2007-01-20 20:45 40168 ----a-w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-29 08:02 . 2009-12-29 08:02 -------- d-----w- c:\program files\Microsoft
2009-12-29 08:02 . 2009-12-29 08:00 -------- d-----w- c:\program files\Windows Live
2009-12-29 08:01 . 2009-12-29 08:01 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-12-29 07:47 . 2009-12-29 07:47 -------- d-----w- c:\program files\Common Files\Windows Live
2009-12-29 06:53 . 2009-12-29 06:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-28 04:10 . 2006-08-29 02:33 -------- d-----w- c:\program files\Netscape
2009-12-25 03:23 . 2009-12-25 03:23 -------- d-----w- c:\program files\ESET
2009-12-24 22:58 . 2009-12-24 22:57 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-24 22:57 . 2009-12-24 22:57 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-24 02:22 . 2007-02-21 05:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-24 01:34 . 2009-12-23 22:50 -------- d-----w- c:\program files\Spyware Doctor
2009-12-24 01:34 . 2009-08-29 18:59 -------- d-----w- c:\program files\Common Files\PC Tools
2009-12-24 01:31 . 2009-08-29 18:59 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-21 17:19 . 2009-12-21 17:19 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-12-21 17:19 . 2009-12-21 17:19 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-12-21 17:19 . 2009-12-21 17:19 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-12-21 17:19 . 2009-12-21 17:19 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-12-21 17:18 . 2009-11-10 22:12 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-12-16 18:53 . 2007-02-21 05:52 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-03 23:14 . 2009-12-29 06:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 23:13 . 2009-12-29 06:52 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-21 15:51 . 2004-08-04 11:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-20 18:34 . 2009-11-20 18:35 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-20 18:34 . 2006-08-29 02:11 -------- d-----w- c:\program files\Java
2009-11-10 22:12 . 2008-05-24 19:21 -------- d-----w- c:\program files\AVG
2009-10-29 07:46 . 2004-08-04 11:00 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-04 11:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2004-08-04 11:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-21 05:38 . 2004-08-04 11:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 11:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 11:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2004-08-04 11:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-04 11:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-04 11:00 79872 ----a-w- c:\windows\system32\raschap.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-12-21 2033432]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-8-28 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Compaq Connections.lnk - c:\program files\Compaq Connections\5577497\Program\Compaq Connections.exe [2006-8-28 36903]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 21:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-12-21 17:19 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/2/2009 4:01 PM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/21/2009 10:19 AM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/21/2009 10:19 AM 360584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/16/2009 4:26 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/16/2009 4:26 PM 74480]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [12/21/2009 10:18 AM 285392]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 7:49 AM 1028432]
S3 pmxscan;USB ScanModule V5.1 Driver;c:\windows\system32\drivers\usbscan.sys [3/29/2007 9:37 AM 15104]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/16/2009 4:27 PM 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-12-22 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 23:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://finance.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-30 08:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3762966820-866554889-2270715484-1008\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(552)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3928)
c:\windows\system32\WININET.dll
c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\Windows Live\Contacts\wlcomm.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2009-12-30 08:34:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-30 15:33
ComboFix2.txt 2009-12-29 17:12

Pre-Run: 55,459,016,704 bytes free
Post-Run: 55,461,343,232 bytes free

- - End Of File - - 9356C5E6E9EEEFEB129C15A5ACE3EBD8
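
The ComboFix log above has three sections a helper reads by hand: the Run-key autostart values, the Security Center "DisableMonitoring" flags, and the DLLs loaded under each running process. The same checks can be scripted. The Python below is an added example, not code from this thread or from ComboFix; it assumes the section layout shown above and embeds a constructed excerpt copied from the posted log. A DLL loaded from a Temp folder (as IadHide5.dll under explorer.exe is here) is only flagged for a closer look, not judged; a DisableMonitoring value of 1 suppresses Security Center notifications for that component and is worth confirming was intentional.

```python
"""Triage of ComboFix-style log sections (added example; not ComboFix's code).

Parsed with simple regular expressions and checked with defender heuristics:
  * Run-key autostart values             -> what starts at logon, from where
  * "DisableMonitoring"=dword:00000001   -> Security Center alerts switched off
  * DLLs loaded under running processes  -> modules loaded from a Temp folder
SAMPLE_LOG is a constructed excerpt copied from the posted log.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-12-21 2033432]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(552)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3928)
c:\windows\system32\WININET.dll
c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\ieframe.dll

------------------------ Other Running Processes ------------------------
c:\windows\system32\wscntfy.exe
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"(?:\s+\[(?P<date>\S+)\s+(?P<size>\d+)\])?\s*$')
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})\s*$')
PROC_RE = re.compile(r"^(?:- )+> '(?P<proc>[^']+)'\((?P<pid>\d+)\)$")
PATH_RE = re.compile(r"^[a-zA-Z]:\\")
DLL_SECTION = "DLLs Loaded Under Running Processes"


@dataclass
class AutorunEntry:
    key: str
    name: str
    path: str
    size: Optional[int]


@dataclass
class Report:
    autoruns: List[AutorunEntry] = field(default_factory=list)
    monitoring_disabled: List[str] = field(default_factory=list)   # registry keys
    loaded_dlls: Dict[Tuple[str, int], List[str]] = field(default_factory=dict)


def parse_combofix(text: str) -> Report:
    report = Report()
    current_key = None      # registry key of the REGEDIT4 block being read
    current_proc = None     # (process name, pid) of the DLL block being read
    in_dll_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("---"):              # a dashed section header
            in_dll_section = DLL_SECTION in line
            current_proc = None
            continue
        m = PROC_RE.match(line)
        if m:
            current_proc = (m["proc"], int(m["pid"]))
            report.loaded_dlls.setdefault(current_proc, [])
            continue
        if in_dll_section and current_proc and PATH_RE.match(line):
            report.loaded_dlls[current_proc].append(line)
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m["key"]
            continue
        m = DWORD_RE.match(line)
        if m and current_key:
            if m["name"].lower() == "disablemonitoring" and int(m["hex"], 16) == 1:
                report.monitoring_disabled.append(current_key)
            continue
        m = VALUE_RE.match(line)
        if m and current_key and current_key.lower().endswith("\\run"):
            size = int(m["size"]) if m["size"] else None
            report.autoruns.append(AutorunEntry(current_key, m["name"], m["path"], size))
    return report


def find_temp_dlls(report: Report) -> List[Tuple[str, int, str]]:
    """Heuristic: a module loaded from a Temp directory deserves a closer look."""
    hits = []
    for (proc, pid), dlls in report.loaded_dlls.items():
        for dll in dlls:
            if "\\temp\\" in dll.lower():
                hits.append((proc, pid, dll))
    return hits
```

Running `parse_combofix(SAMPLE_LOG)` returns the two Run-key entries, the two keys where monitoring is disabled, and the per-process DLL lists; `find_temp_dlls` then singles out the Temp-folder module under explorer.exe. The same regular expressions apply to the full log, since the other sections (services, firewall list) use different line shapes and are simply skipped.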

#7 tjlw

tjlw
  • Topic Starter

  • Members
  • 94 posts

Posted 30 December 2009 - 10:58 AM

Rootrepeal Report - let me know what to do next... Thanks!


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/30 08:38
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: catchme.sys
Image Path: C:\ComboFix\catchme.sys
Address: 0xF7904000 Size: 31744 File Visible: No Signed: -
Status: -

Name: Combo-Fix.sys
Image Path: Combo-Fix.sys
Address: 0xF765C000 Size: 60416 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF2509000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B12000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PROCEXP113.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Address: 0xF7B1C000 Size: 7872 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEF529000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\softwaredistribution\eventcache\{32585dcd-0d00-439c-ac8e-f1d4313b425c}.bin
Status: Allocation size mismatch (API: 8, Raw: 0)

Path: c:\program files\compaq connections\5577497\users\default\data\inuse.txt
Status: Allocation size mismatch (API: 40, Raw: 24)

Path: d:\system volume information\_restore{00eff98b-5705-4d9a-ba78-7681a60afb54}\rp752\change.log.2
Status: Allocation size mismatch (API: 16384, Raw: 4096)

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xf762c87e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xf762cbfe

==EOF==

#8 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,639 posts
  • Gender:Male
  • Location:USA

Posted 31 December 2009 - 08:23 AM

Please save this file to your desktop. Once downloaded, click on Start->Run, and then copy-paste the following bolded command below into the Open field. When the command is in the Open field, click on the OK button.

"%userprofile%\desktop\win32kdiag.exe" -f -r

When the program has finished there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

#9 tjlw

tjlw
  • Topic Starter

  • Members
  • 94 posts

Posted 31 December 2009 - 09:59 AM

Win32Diag log --- let me know what to do next!

Running from: C:\Documents and Settings\Compaq_Owner\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Compaq_Owner\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Finished!

#10 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,639 posts
  • Gender:Male
  • Location:USA

Posted 31 December 2009 - 05:47 PM

Let me see another gmer log please. Btw, are you still being redirected?

#11 tjlw

tjlw
  • Topic Starter

  • Members
  • 94 posts

Posted 01 January 2010 - 11:33 PM

Here is the gmer log - have not seen any redirects but have tried to not use this computer very much. What was this malware and how can I avoid this in the future? I saw on one post something about kenco being a new program to help others with this redirect virus - is this the same thing? Was my system really compromised or is this just an annoyance virus?

Thanks again for all your help...


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-01 21:28:52
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\kwldqpoc.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF762C87E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF762CBFE]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
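
The RootRepeal report in post #7 and the GMER log just above both list two SSDT entries hooked by Lbd.sys, which GMER attributes to Lavasoft AB and which the ComboFix services list shows as the R0 Lbd driver. Two independent tools reporting the same hooks on a driver with a known owner is what lets a helper treat them as the security product's own driver rather than as rootkit activity. The script below is an added Python example, not code from either tool or from this thread; it normalizes both output formats into one record (RootRepeal prints Nt* names and lower-case addresses, GMER prints Zw* names, upper-case addresses and a vendor string) and reports where they agree. The two sample texts are constructed from the reports posted here.

```python
"""Cross-check SSDT hook reports from RootRepeal and GMER (added example).

A hook that only one tool reports, or whose driver has no vendor attribution,
is the case that warrants a closer look; agreement on a known driver does not.
ROOTREPEAL_SSDT and GMER_SYSTEM are constructed from the reports in this thread.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

ROOTREPEAL_SSDT = """\
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xf762c87e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xf762cbfe
"""

GMER_SYSTEM = """\
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF762C87E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF762CBFE]
"""

RR_FUNC_RE = re.compile(r"^#:\s*(?P<index>\d+)\s+Function Name:\s*(?P<func>\w+)\s*$")
RR_STATUS_RE = re.compile(
    r'^Status:\s*Hooked by "(?P<module>[^"]+)" at address 0x(?P<addr>[0-9a-fA-F]+)\s*$')
GMER_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)\s+\((?P<vendor>[^)]*)\)\s+(?P<func>\w+)\s+\[0x(?P<addr>[0-9a-fA-F]+)\]\s*$")


@dataclass(frozen=True)
class Hook:
    function: str       # service name with the Nt/Zw prefix stripped
    module: str         # hooking driver, lower-cased file name
    address: int        # hook target address
    vendor: str = ""    # only GMER reports this

    def key(self):
        return (self.function, self.module, self.address)


def normalize_function(name: str) -> str:
    """NtCreateKey and ZwCreateKey name the same SSDT slot; drop the prefix."""
    return re.sub(r"^(Nt|Zw)", "", name)


def parse_rootrepeal_ssdt(text: str) -> List[Hook]:
    hooks, pending = [], None
    for line in text.splitlines():
        m = RR_FUNC_RE.match(line)
        if m:
            pending = m["func"]          # remember the name until its Status line
            continue
        m = RR_STATUS_RE.match(line)
        if m and pending:
            hooks.append(Hook(normalize_function(pending), m["module"].lower(),
                              int(m["addr"], 16)))
            pending = None
    return hooks


def parse_gmer_ssdt(text: str) -> List[Hook]:
    hooks = []
    for line in text.splitlines():
        m = GMER_RE.match(line)
        if m:
            hooks.append(Hook(normalize_function(m["func"]), m["module"].lower(),
                              int(m["addr"], 16), m["vendor"]))
    return hooks


def compare_hooks(rootrepeal: List[Hook], gmer: List[Hook]) -> Dict[str, List[Hook]]:
    """Match hooks by (function, module, address); the vendor is informational."""
    rr_keys = {h.key(): h for h in rootrepeal}
    gm_keys = {h.key(): h for h in gmer}
    return {
        "agreed": [gm_keys[k] for k in rr_keys if k in gm_keys],
        "only_rootrepeal": [rr_keys[k] for k in rr_keys if k not in gm_keys],
        "only_gmer": [gm_keys[k] for k in gm_keys if k not in rr_keys],
    }


def hook_owners(hooks: List[Hook]) -> Dict[str, str]:
    """Which drivers own hooks, with the vendor text where a tool supplied it."""
    owners: Dict[str, str] = {}
    for h in hooks:
        owners[h.module] = h.vendor or owners.get(h.module, "")
    return owners
```

For the two reports on this page `compare_hooks` returns both hooks under "agreed" and nothing under the "only_" lists, and `hook_owners` on the GMER output maps lbd.sys to its Lavasoft AB attribution; a hook hitting the same service from an unattributed driver would fall out of that comparison immediately.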

#12 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,639 posts
  • Gender:Male
  • Location:USA

Posted 02 January 2010 - 04:15 PM

You had the vundo trojan as well as other malware. You look clean now, though. Play around with the computer and let me know how it feels and if it looks good, we will do the last steps.

You should also use the following program to look for older and insecure programs:

http://secunia.com/vulnerability_scanning/online/

#13 tjlw

tjlw
  • Topic Starter

  • Members
  • 94 posts

Posted 02 January 2010 - 10:55 PM

Redirect problem seems to be fixed. I unloaded the old software that secunia suggested and reinstalled the newer versions. Safe Mode is finally working again from the F8 key on start up so that is fixed too.

Only 2 problems I see are the Beep and Serial in the Device Manager (have to Show hidden items) are still showing with the yellow exclamation point. When I try to Start them, it says the system cannot find the file. I assume this means the driver - any idea where to get these? Or should I try to uninstall and will they automatically reinstall?

Let me know what to do next. I won't have easy accessibility to the computer next week but will try to work on it and do your last steps as quickly as I can.

Thanks again for all the help.

#14 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,639 posts
  • Gender:Male
  • Location:USA

Posted 03 January 2010 - 08:34 PM

You may want to run sfc /scannow to replace any missing system files.

Instructions on how to do this can be found here:

http://www.bleepingcomputer.com/forums/t/43051/how-to-use-sfcexe-to-repair-system-files/

#15 tjlw

tjlw
  • Topic Starter

  • Members
  • 94 posts

Posted 05 January 2010 - 11:21 AM

Grinler - I'm not at this computer this week - give me a few days to get back to it. Also apparently we had a recurrence of the virus - I'll try to pull it off again (Antivirus 2010) and rerun HijackThis, gmer, combofix and get you the logs again... - but it will be till the weekend - so please don't close this yet - not sure why MBAM didn't keep it off :(



